Unrated severityNVD Advisory· Published Jun 22, 2026· Updated Jun 22, 2026

Path Traversal in Loki Datasource leads to Internal Information Disclosure

CVE-2026-42129

Description

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.

Affected products

Grafana/Databricks Datasource Pluginllm-fuzzy

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

grafana.com/security/security-advisories/cve-2026-42129mitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000